Feds provide "little or no explanation of how Target Computer will be found."

A federal magistrate judge has denied (PDF) a request from the FBI to install sophisticated surveillance software to track someone suspected of attempting to conduct a “sizeable wire transfer from [John Doe’s] local bank [in Texas] to a foreign bank account.”

Back in March 2013, the FBI asked the judge to grant a month-long “Rule 41 search and seizure warrant” of a suspect’s computer “at premises unknown” as a way to find out more about these possible violations of “federal bank fraud, identity theft and computer security laws.”

In an unusually public order published this week, Judge Stephen Smith rejected the FBI's request on the grounds that the warrant was overbroad and too invasive. The order also offers a rare glimpse into the government's capabilities for sophisticated digital surveillance of potential targets. Judging by the judge's description, the spyware sounds very similar to the RAT software that many miscreants use to spy on other Internet users without their knowledge. (Ars editor Nate Anderson detailed the practice last month.)

According to the 13-page order, the FBI wanted to “surreptitiously install data extraction software on the Target Computer. Once installed, the software has the capacity to search the computer’s hard drive, random access memory, and other storage media; to activate the computer’s built-in camera; to generate latitude and longitude coordinates for the computer’s location; and to transmit the extracted data to FBI agents within the district.”

Neither an FBI spokesperson nor Craig M. Feazel, the assistant United States Attorney who represents the FBI in this case, responded to Ars’ request for comment. Many civil libertarians, though, have raised serious questions about what the government is up to.

“Hacking should be something that is the last resort, not the first option,” Chris Soghoian, principal technologist at the ACLU's Speech Privacy and Technology Project, told Ars. “No one knows anything about [how the FBI’s software works]. We know from a [Freedom of Information Act request] that there was a [Computer and Internet Protocol Address Verifier software], but this seems to be much more sophisticated. This sounds like the kind of [spyware] stuff that Gamma is selling. As a general rule, we don’t think law enforcement should be in the hacking business. It’s sexy, but it’s terrifying.”

"Little or no explanation"

According to the judge’s order (PDF), the FBI has no idea where the suspect actually is, but noted that the “IP address of the computer accessing Doe’s account resolves to a foreign country.”

IP addresses can certainly be disguised, but if the suspect really is outside the United States, that raises significant questions about the appropriate use of such a warrant. The judge agreed, noting that the “government’s application does not satisfy any [existing territorial limits].”

Further, the judge cited the government’s failure to meet the Fourth Amendment’s requirement of “place to be searched, and the persons or things to be seized.”

The Government’s application contains little or no explanation of how the Target Computer will be found. Presumably, the Government would contact the Target Computer via the counterfeit e-mail address, on the assumption that only the actual culprits would have access to that e-mail account. Even if this assumption proved correct, it would not necessarily mean that the government has made contact with the end-point Target Computer at which the culprits are sitting. It is not unusual for those engaged in illegal computer activity to “spoof” Internet Protocol addresses as a way of disguising their actual online presence; in such a case the Government’s search might be routed through one or more “innocent” computers on its way to the Target Computer. The Government’s application offers nothing but indirect and conclusory assurance that its search technique will avoid infecting innocent computers or devices.

The judge also berated the government for its failure to explain how precisely it would target the suspect’s computer, the suspect, and no one else.

What if the Target Computer is located in a public library, an Internet café, or a workplace accessible to others? What if the computer is used by family or friends uninvolved in the illegal scheme? What if the counterfeit e-mail address is used for legitimate reasons by others unconnected to the criminal conspiracy? What if the e-mail address is accessed by more than one computer, or by a cell phone and other digital devices? There may well be sufficient answers to these questions, but the Government’s application does not supply them.

“This is the first time I've seen a public denial; the government has been very secretive about this surveillance tool and there hasn't been much litigation about it that I'm aware of,” Hanni Fakhoury, an attorney with the Electronic Frontier Foundation, told Ars. “I'm not surprised it came from Judge Smith. He's very outspoken on surveillance issues. His order finding cell site records protected by the Fourth Amendment is on appeal to the 5th Circuit (EFF argued the case). And he's issued orders denying requests for tower dump and a stingray before too.”

Cyrus Farivar
Cyrus is a Senior Tech Policy Reporter at Ars Technica, and is also a radio producer and author. His latest book, Habeas Data, about the legal cases over the last 50 years that have had an outsized impact on surveillance and privacy law in America, is due out in May 2018 from Melville House. He is based in Oakland, California. Email: cyrus.farivar@arstechnica.com // Twitter: @cfarivar